
Check for the unique accounts in Endpoint Account Name Rule Advanced Query

binoy
New Contributor III

We have an Endpoint for Active Directory accounts. We want to create unique AD accounts for new joiners. For example, for user 1 with name 'Amit Sharma', Saviynt should create an AD account with DN: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' and for another user 2 with the same name 'Amit Sharma', Saviynt should create another AD account with DN: 'CN=Amit Sharma1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local'. We have configured the "Account Name Rule" with Advanced Config because we want the distinguishedName as the Account name.

concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')

But Saviynt always attempts to create a task with Account name: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' for the 2nd user instead of 'CN=Amit Sharma1' and the Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.

It does not even go to the ADSI connector configuration in the logs. Security System is configured with ADSI Connector.

We don't want to use Basic Config Auto Increment option as it does not satisfy our DN requirement. We also do not want to use FN_EIC_SEQGEN DB function because it will always append a number for all AD accounts even if they are unique.

Is this possible in Saviynt? The same works in 'System Username Generation Rule' and 'Email Generation Rule'.

The Saviynt logs have a message: "Checking for endpoint : 6 and entitlements-NULL; ExistingAccObj-null" which leads me to suspect it may be a Saviynt bug.
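The fallback order the post expects from the '#'-separated rule, as an added example that is not part of the original post and is not Saviynt code. It goes slightly beyond the post by escaping the display name per RFC 4514 and comparing DNs case-insensitively; the function names and the in-memory list of existing DNs are assumptions.

```python
# Added example: models the expected '#'-separated fallback, not Saviynt's API.
BASE = "OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local"
SUFFIXES = ["", "1", "2"]  # same order as the candidates in the rule on the page


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif i == 0 and ch in " #":
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def normalize(dn):
    # Assumption: DN comparison is case-insensitive, as AD treats CN/OU/DC.
    # This does not canonicalise whitespace around ',' or '='.
    return dn.strip().casefold()


def candidate_dns(displayname):
    """Build the candidate DNs in rule order; the suffix is part of the CN."""
    return [f"CN={escape_rdn_value(displayname + s)},{BASE}" for s in SUFFIXES]


def pick_account_name(displayname, existing_dns):
    """Return the first candidate DN not already present on the endpoint."""
    taken = {normalize(dn) for dn in existing_dns}
    for dn in candidate_dns(displayname):
        if normalize(dn) not in taken:
            return dn
    raise LookupError("all candidate DNs are already in use")
```

A number is appended only on collision, which is the behaviour the post asks for; a display name containing a comma stays a single RDN instead of splitting the DN.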


rushikeshvartak
All-Star

Remove "Check Unique Account" and run the microservices job.

 

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks @rushikeshvartak. I removed the Check Unique Account and ran the microservice job. It didn't help. I can see in the logs: ExistingAccObj-null. Saviynt didn't detect an existing account object before creating the Task. But later when executing the Task, Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.

binoy
New Contributor III

Hi

This suggestion didn't work. Is there any other suggestion please or is it a bug that Support needs to look into?

Did you raise a new request?


Regards,
Rushikesh Vartak

When you raise a new account, is the account name properly shown?


Regards,
Rushikesh Vartak

sudeshjaiswal
Saviynt Employee

Hello @binoy,

Can you try to add "All" in Check Unique Account and try again?

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

binoy
New Contributor III

Hi @sudeshjaiswal 

I've tried with 'All' in Check Unique Account. It didn't help and it's still the same error.

Thanks

Delete and recreate the rule.


Regards,
Rushikesh Vartak

Tried that. Switched to 'Basic Config' which deleted the previous rule and switched back to 'Advanced Config'. Did not help.

This is a simplified version of our Advanced Config, we have to specify the whole DN as the Account ID because of two AD domains.

concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'2,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')

 

Does the issue still exist?

Does the second account name populate on ARS?


Regards,
Rushikesh Vartak

Hi @rushikeshvartak 

It works from ARS. There is a log statement "Account CN=... exists so ignoring rule..." and it evaluates the 2nd user account name rule.

However, it still fails from Technical Rule. The issue is it does not detect the existing account.

It looks like a defect. Please raise a support ticket.


Regards,
Rushikesh Vartak

binoy
New Contributor III

Thanks @rushikeshvartak 

Isn't this a basic use case that other customers would have implemented already?

Ideally it should work, but via the technical rule it's not printing the rule itself.


Regards,
Rushikesh Vartak